Djam/python38
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/python38.git synced 2025-02-23 15:22:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
python38/CVE-2019-16056.patch
Mikhail Novosyolov 8058c8b2db Fix CVE-2019-16056, CVE-2019-16935 and race in test_docxmlrpc 
https://usn.ubuntu.com/4151-1/
* SECURITY UPDATE: incorrect email address parsing
- CVE-2019-16056.patch: don't parse domains containing @ in
  Lib/email/_header_value_parser.py, Lib/email/_parseaddr.py,
  Lib/test/test_email/test__header_value_parser.py,
  Lib/test/test_email/test_email.py.
* SECURITY UPDATE: XSS in documentation XML-RPC server
- CVE-2019-16935.patch: escape the server_title in Lib/xmlrpc/server.py, Lib/test/test_docxmlrpc.py.
* avoid_test_docxmlrpc_race.patch: avoid race in
  test_docxmlrpc server setup in Lib/test/test_docxmlrpc.py.
2019-10-10 01:30:49 +03:00

107 lines
4.7 KiB
Diff
Raw Blame History

From 063eba280a11d3c9a5dd9ee5abe4de640907951b Mon Sep 17 00:00:00 2001
From: Abhilash Raj <maxking@users.noreply.github.com>
Date: Fri, 6 Sep 2019 22:24:05 -0700
Subject: [PATCH] [3.5] bpo-34155: Dont parse domains containing @ (GH-13079)
(#15317)
https://bugs.python.org/issue34155
(cherry picked from commit 8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9)
Co-authored-by: jpic <jpic@users.noreply.github.com>
---
Lib/email/_header_value_parser.py | 2 ++
Lib/email/_parseaddr.py | 11 ++++++++++-
Lib/test/test_email/test__header_value_parser.py | 10 ++++++++++
Lib/test/test_email/test_email.py | 14 ++++++++++++++
.../2019-05-04-13-33-37.bpo-34155.MJll68.rst | 1 +
5 files changed, 37 insertions(+), 1 deletion(-)
create mode 100644 Misc/NEWS.d/next/Security/2019-05-04-13-33-37.bpo-34155.MJll68.rst
Index: python3.5-3.5.2/Lib/email/_header_value_parser.py
===================================================================
--- python3.5-3.5.2.orig/Lib/email/_header_value_parser.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/email/_header_value_parser.py 2019-10-07 09:01:59.361357315 -0400
@@ -1966,6 +1966,8 @@ def get_domain(value):
token, value = get_dot_atom(value)
except errors.HeaderParseError:
token, value = get_atom(value)
+ if value and value[0] == '@':
+ raise errors.HeaderParseError('Invalid Domain')
if leader is not None:
token[:0] = [leader]
domain.append(token)
Index: python3.5-3.5.2/Lib/email/_parseaddr.py
===================================================================
--- python3.5-3.5.2.orig/Lib/email/_parseaddr.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/email/_parseaddr.py 2019-10-07 09:01:59.361357315 -0400
@@ -379,7 +379,12 @@ class AddrlistClass:
aslist.append('@')
self.pos += 1
self.gotonext()
- return EMPTYSTRING.join(aslist) + self.getdomain()
+ domain = self.getdomain()
+ if not domain:
+ # Invalid domain, return an empty address instead of returning a
+ # local part to denote failed parsing.
+ return EMPTYSTRING
+ return EMPTYSTRING.join(aslist) + domain
def getdomain(self):
"""Get the complete domain name from an address."""
@@ -394,6 +399,10 @@ class AddrlistClass:
elif self.field[self.pos] == '.':
self.pos += 1
sdlist.append('.')
+ elif self.field[self.pos] == '@':
+ # bpo-34155: Don't parse domains with two `@` like
+ # `a@malicious.org@important.com`.
+ return EMPTYSTRING
elif self.field[self.pos] in self.atomends:
break
else:
Index: python3.5-3.5.2/Lib/test/test_email/test__header_value_parser.py
===================================================================
--- python3.5-3.5.2.orig/Lib/test/test_email/test__header_value_parser.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/test/test_email/test__header_value_parser.py 2019-10-07 09:01:59.361357315 -0400
@@ -1418,6 +1418,16 @@ class TestParser(TestParserMixin, TestEm
self.assertEqual(addr_spec.domain, 'example.com')
self.assertEqual(addr_spec.addr_spec, 'star.a.star@example.com')
+ def test_get_addr_spec_multiple_domains(self):
+ with self.assertRaises(errors.HeaderParseError):
+ parser.get_addr_spec('star@a.star@example.com')
+
+ with self.assertRaises(errors.HeaderParseError):
+ parser.get_addr_spec('star@a@example.com')
+
+ with self.assertRaises(errors.HeaderParseError):
+ parser.get_addr_spec('star@172.17.0.1@example.com')
+
# get_obs_route
def test_get_obs_route_simple(self):
Index: python3.5-3.5.2/Lib/test/test_email/test_email.py
===================================================================
--- python3.5-3.5.2.orig/Lib/test/test_email/test_email.py 2019-10-07 09:01:59.365357330 -0400
+++ python3.5-3.5.2/Lib/test/test_email/test_email.py 2019-10-07 09:01:59.361357315 -0400
@@ -2999,6 +2999,20 @@ class TestMiscellaneous(TestEmailBase):
self.assertEqual(utils.parseaddr('<>'), ('', ''))
self.assertEqual(utils.formataddr(utils.parseaddr('<>')), '')
+ def test_parseaddr_multiple_domains(self):
+ self.assertEqual(
+ utils.parseaddr('a@b@c'),
+ ('', '')
+ )
+ self.assertEqual(
+ utils.parseaddr('a@b.c@c'),
+ ('', '')
+ )
+ self.assertEqual(
+ utils.parseaddr('a@172.17.0.1@c'),
+ ('', '')
+ )
+
def test_noquote_dump(self):
self.assertEqual(
utils.formataddr(('A Silly Person', 'person@dom.ain')),
Reference in a new issue View git blame Copy permalink